JUDGMENT  OF  THE  COURT  (Grand  Chamber) 
6 October  2015  (2) 


(Reference  for  a preliminary  ruling  — Personal  data  — Protection  of  individuals  with  regard  to  the 
processing  of  such  data  — Charter  of  Fundamental  Rights  of  the  European  Union  — Articles  7,  8 
and  47  — Directive  95/46/EC  — Articles  25  and  28  — Transfer  of  personal  data  to  third 
countries  — Decision  2000/520/EC  — Transfer  of  personal  data  to  the  United  States  — Inadequate 
level  of  protection  — Validity  — Complaint  by  an  individual  whose  data  has  been  transferred  from 
the  European  Union  to  the  United  States  — Powers  of  the  national  supervisory  authorities) 


In  Case  C-362/14, 

REQUEST  for  a preliminary  ruling  under  Article  267  TFEU  from  the  High  Court  (Ireland),  made 
by  decision  of  17  July  2014,  received  at  the  Court  on  25  July  2014,  in  the  proceedings 

Maximillian  Schrems 

v 

Data  Protection  Commissioner, 

joined  party: 

Digital  Rights  Ireland  Ltd, 


THE  COURT  (Grand  Chamber), 

composed of V. Skouris, President, K. Lenaerts, Vice-President, A. Tizzano, R. Silva de Lapuerta,
T. von Danwitz (Rapporteur), S. Rodin and K. Jurimae, Presidents of Chambers, A. Rosas,
E. Juhasz, A. Borg Barthet, J. Malenovsky, D. Svaby, M. Berger, F. Biltgen and C. Lycourgos,
Judges,

Advocate  General:  Y.  Bot, 

Registrar:  L.  Hewlett,  Principal  Administrator, 

having  regard  to  the  written  procedure  and  further  to  the  hearing  on  24  March  2015, 

after  considering  the  observations  submitted  on  behalf  of: 

- Mr Schrems, by N. Travers, Senior Counsel, P. O’Shea, Barrister-at-Law, G. Rudden,
Solicitor, and H. Hofmann, Rechtsanwalt,

- the Data Protection Commissioner, by P. McDermott, Barrister-at-Law, S. More O’Ferrall and
D. Young, Solicitors,

- Digital Rights Ireland Ltd, by F. Crehan, Barrister-at-Law, and S. McGarr and E. McGarr,
Solicitors,

- Ireland, by A. Joyce, B. Counihan and E. Creedon, acting as Agents, and D. Fennelly,
Barrister-at-Law,


- the  Belgian  Government,  by  J.-C.  Halleux  and  C.  Pochet,  acting  as  Agents, 

- the  Czech  Government,  by  M.  Smolek  and  J.  Vlacil,  acting  as  Agents, 

- the  Italian  Government,  by  G.  Palmieri,  acting  as  Agent,  and  P.  Gentili,  avvocato  dello  Stato, 

- the  Austrian  Government,  by  G.  Hesse  and  G.  Kunnert,  acting  as  Agents, 

- the  Polish  Government,  by  M.  Kamejsza,  M.  Pawlicka  and  B.  Majczyna,  acting  as  Agents, 

- the  Slovenian  Government,  by  A.  Grum  and  V.  Klemenc,  acting  as  Agents, 

- the  United  Kingdom  Government,  by  L.  Christie  and  J.  Beeko,  acting  as  Agents,  and 
J.  Holmes,  Barrister, 

- the  European  Parliament,  by  D.  Moore,  A.  Caiola  and  M.  Pencheva,  acting  as  Agents, 

- the  European  Commission,  by  B.  Schima,  B.  Martenczuk,  B.  Smulders  and  J.  Vondung, 
acting  as  Agents, 

- the European Data Protection Supervisor (EDPS), by C. Docksey, A. Buchta and V. Perez
Asinari, acting as Agents,

after  hearing  the  Opinion  of  the  Advocate  General  at  the  sitting  on  23  September  2015, 
gives  the  following 


Judgment 


This  request  for  a preliminary  ruling  relates  to  the  interpretation,  in  the  light  of  Articles  7,  8 and  47 
of  the  Charter  of  Fundamental  Rights  of  the  European  Union  (‘the  Charter’),  of  Articles  25(6)  and 
28  of  Directive  95/46/EC  of  the  European  Parliament  and  of  the  Council  of  24  October  1995  on  the 
protection  of  individuals  with  regard  to  the  processing  of  personal  data  and  on  the  free  movement  of 
such  data  (OJ  1995  L 281,  p.  31),  as  amended  by  Regulation  (EC)  No  1882/2003  of  the  European 
Parliament  and  of  the  Council  of  29  September  2003  (OJ  2003  L 284,  p.  1)  (‘Directive  95/46’),  and, 
in  essence,  to  the  validity  of  Commission  Decision  2000/520/EC  of  26  July  2000  pursuant  to 
Directive  95/46  on  the  adequacy  of  the  protection  provided  by  the  safe  harbour  privacy  principles 
and  related  frequently  asked  questions  issued  by  the  US  Department  of  Commerce  (OJ  2000  L 215, 
p. 7).

The  request  has  been  made  in  proceedings  between  Mr  Schrems  and  the  Data  Protection 
Commissioner  (‘the  Commissioner’)  concerning  the  latter’s  refusal  to  investigate  a complaint  made 
by  Mr  Schrems  regarding  the  fact  that  Facebook  Ireland  Ltd  (‘Facebook  Ireland’)  transfers  the 
personal  data  of  its  users  to  the  United  States  of  America  and  keeps  it  on  servers  located  in  that 
country. 


Legal  context 

Directive  95/46 

Recitals  2,  10,  56,  57,  60,  62  and  63  in  the  preamble  to  Directive  95/46  are  worded  as  follows: 

‘(2) ... data-processing systems are designed to serve man; ... they must, whatever the nationality
or residence of natural persons, respect their fundamental rights and freedoms, notably the
right to privacy, and contribute to ... the well-being of individuals;


(10) ... the object of the national laws on the processing of personal data is to protect
fundamental rights and freedoms, notably the right to privacy, which is recognised both in
Article 8 of the European Convention for the Protection of Human Rights and Fundamental
Freedoms[, signed in Rome on 4 November 1950,] and in the general principles of
Community law; ..., for that reason, the approximation of those laws must not result in any
lessening of the protection they afford but must, on the contrary, seek to ensure a high level of
protection in the Community;


(56) ... cross-border flows of personal data are necessary to the expansion of international trade;
... the protection of individuals guaranteed in the Community by this Directive does not stand
in the way of transfers of personal data to third countries which ensure an adequate level of
protection; ... the adequacy of the level of protection afforded by a third country must be
assessed in the light of all the circumstances surrounding the transfer operation or set of
transfer operations;

(57)  ...  on  the  other  hand,  the  transfer  of  personal  data  to  a third  country  which  does  not  ensure 
an  adequate  level  of  protection  must  be  prohibited; 


(60) ... in any event, transfers to third countries may be effected only in full compliance with the
provisions adopted by the Member States pursuant to this Directive, and in particular Article 8
thereof;


(62) ... the establishment in Member States of supervisory authorities, exercising their functions
with complete independence, is an essential component of the protection of individuals with
regard to the processing of personal data;

(63) ... such authorities must have the necessary means to perform their duties, including powers
of investigation and intervention, particularly in cases of complaints from individuals, and
powers to engage in legal proceedings; ...’

Articles  1, 2,  25,  26,  28  and  31  of  Directive  95/46  provide: 

‘Article 1

Object  of  the  Directive 

1. In accordance with this Directive, Member States shall protect the fundamental rights and
freedoms of natural persons, and in particular their right to privacy with respect to the processing of
personal data.


Article  2 


Definitions 


For  the  purposes  of  this  Directive: 


(a)  “personal  data”  shall  mean  any  information  relating  to  an  identified  or  identifiable  natural 
person  (“data  subject”);  an  identifiable  person  is  one  who  can  be  identified,  directly  or 
indirectly,  in  particular  by  reference  to  an  identification  number  or  to  one  or  more  factors 
specific  to  his  physical,  physiological,  mental,  economic,  cultural  or  social  identity; 

(b)  “processing  of  personal  data”  (“processing”)  shall  mean  any  operation  or  set  of  operations 
which  is  performed  upon  personal  data,  whether  or  not  by  automatic  means,  such  as 
collection,  recording,  organisation,  storage,  adaptation  or  alteration,  retrieval,  consultation, 
use,  disclosure  by  transmission,  dissemination  or  otherwise  making  available,  alignment  or 
combination,  blocking,  erasure  or  destruction; 


(d)  “controller”  shall  mean  the  natural  or  legal  person,  public  authority,  agency  or  any  other  body 
which  alone  or  jointly  with  others  determines  the  purposes  and  means  of  the  processing  of 
personal  data;  where  the  purposes  and  means  of  processing  are  determined  by  national  or 
Community  laws  or  regulations,  the  controller  or  the  specific  criteria  for  his  nomination  may 
be  designated  by  national  or  Community  law; 


Article  25 
Principles 

1. The Member States shall provide that the transfer to a third country of personal data which are
undergoing processing or are intended for processing after transfer may take place only if, without
prejudice to compliance with the national provisions adopted pursuant to the other provisions of this
Directive, the third country in question ensures an adequate level of protection.

2.  The  adequacy  of  the  level  of  protection  afforded  by  a third  country  shall  be  assessed  in  the 
light  of  all  the  circumstances  surrounding  a data  transfer  operation  or  set  of  data  transfer  operations; 
particular  consideration  shall  be  given  to  the  nature  of  the  data,  the  purpose  and  duration  of  the 
proposed  processing  operation  or  operations,  the  country  of  origin  and  country  of  final  destination, 
the  rules  of  law,  both  general  and  sectoral,  in  force  in  the  third  country  in  question  and  the 
professional  rules  and  security  measures  which  are  complied  with  in  that  country. 

3. The Member States and the Commission shall inform each other of cases where they consider
that a third country does not ensure an adequate level of protection within the meaning of
paragraph 2.

4.  Where  the  Commission  finds,  under  the  procedure  provided  for  in  Article  31(2),  that  a third 
country  does  not  ensure  an  adequate  level  of  protection  within  the  meaning  of  paragraph  2 of  this 
Article,  Member  States  shall  take  the  measures  necessary  to  prevent  any  transfer  of  data  of  the  same 
type  to  the  third  country  in  question. 

5.  At  the  appropriate  time,  the  Commission  shall  enter  into  negotiations  with  a view  to 
remedying  the  situation  resulting  from  the  finding  made  pursuant  to  paragraph  4. 

6. The Commission may find, in accordance with the procedure referred to in Article 31(2), that
a third country ensures an adequate level of protection within the meaning of paragraph 2 of this
Article, by reason of its domestic law or of the international commitments it has entered into,
particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the
private lives and basic freedoms and rights of individuals.

Member  States  shall  take  the  measures  necessary  to  comply  with  the  Commission’s  decision. 

Article  26 
Derogations 

1. By way of derogation from Article 25 and save where otherwise provided by domestic law
governing particular cases, Member States shall provide that a transfer or a set of transfers of
personal data to a third country which does not ensure an adequate level of protection within the
meaning of Article 25(2) may take place on condition that:

(a)  the  data  subject  has  given  his  consent  unambiguously  to  the  proposed  transfer;  or 

(b)  the  transfer  is  necessary  for  the  performance  of  a contract  between  the  data  subject  and  the 
controller  or  the  implementation  of  precontractual  measures  taken  in  response  to  the  data 
subject’s  request;  or 

(c)  the  transfer  is  necessary  for  the  conclusion  or  performance  of  a contract  concluded  in  the 
interest  of  the  data  subject  between  the  controller  and  a third  party;  or 

(d)  the  transfer  is  necessary  or  legally  required  on  important  public  interest  grounds,  or  for  the 
establishment,  exercise  or  defence  of  legal  claims;  or 

(e)  the  transfer  is  necessary  in  order  to  protect  the  vital  interests  of  the  data  subject;  or 

(f)  the  transfer  is  made  from  a register  which  according  to  laws  or  regulations  is  intended  to 
provide  information  to  the  public  and  which  is  open  to  consultation  either  by  the  public  in 
general  or  by  any  person  who  can  demonstrate  legitimate  interest,  to  the  extent  that  the 
conditions  laid  down  in  law  for  consultation  are  fulfilled  in  the  particular  case. 

2. Without prejudice to paragraph 1, a Member State may authorise a transfer or a set of transfers
of personal data to a third country which does not ensure an adequate level of protection within the
meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the
protection of the privacy and fundamental rights and freedoms of individuals and as regards the
exercise of the corresponding rights; such safeguards may in particular result from appropriate
contractual clauses.

3.  The  Member  State  shall  inform  the  Commission  and  the  other  Member  States  of  the 
authorisations  it  grants  pursuant  to  paragraph  2. 

If  a Member  State  or  the  Commission  objects  on  justified  grounds  involving  the  protection  of  the 
privacy  and  fundamental  rights  and  freedoms  of  individuals,  the  Commission  shall  take  appropriate 
measures  in  accordance  with  the  procedure  laid  down  in  Article  31(2). 

Member  States  shall  take  the  necessary  measures  to  comply  with  the  Commission’s  decision. 


Article  28 

Supervisory  authority 


1. Each Member State shall provide that one or more public authorities are responsible for
monitoring the application within its territory of the provisions adopted by the Member States
pursuant to this Directive.


These  authorities  shall  act  with  complete  independence  in  exercising  the  functions  entrusted  to 
them. 

2.  Each  Member  State  shall  provide  that  the  supervisory  authorities  are  consulted  when  drawing 
up  administrative  measures  or  regulations  relating  to  the  protection  of  individuals’  rights  and 
freedoms  with  regard  to  the  processing  of  personal  data. 

3. Each authority shall in particular be endowed with:

- investigative powers, such as powers of access to data forming the subject-matter of
processing operations and powers to collect all the information necessary for the performance
of its supervisory duties,

- effective powers of intervention, such as, for example, that of delivering opinions before
processing operations are carried out, in accordance with Article 20, and ensuring appropriate
publication of such opinions, of ordering the blocking, erasure or destruction of data, of
imposing a temporary or definitive ban on processing, of warning or admonishing the
controller, or that of referring the matter to national parliaments or other political institutions,

- the power to engage in legal proceedings where the national provisions adopted pursuant to
this Directive have been violated or to bring these violations to the attention of the judicial
authorities.

Decisions  by  the  supervisory  authority  which  give  rise  to  complaints  may  be  appealed  against 
through  the  courts. 

4.  Each  supervisory  authority  shall  hear  claims  lodged  by  any  person,  or  by  an  association 
representing  that  person,  concerning  the  protection  of  his  rights  and  freedoms  in  regard  to  the 
processing  of  personal  data.  The  person  concerned  shall  be  informed  of  the  outcome  of  the  claim. 

Each  supervisory  authority  shall,  in  particular,  hear  claims  for  checks  on  the  lawfulness  of  data 
processing  lodged  by  any  person  when  the  national  provisions  adopted  pursuant  to  Article  13  of  this 
Directive  apply.  The  person  shall  at  any  rate  be  informed  that  a check  has  taken  place. 


6. Each supervisory authority is competent, whatever the national law applicable to the
processing in question, to exercise, on the territory of its own Member State, the powers conferred
on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an
authority of another Member State.


Article  31 


2.  Where  reference  is  made  to  this  Article,  Articles  4 and  7 of  [Council]  Decision  1999/468/EC 
[of  28  June  1999  laying  down  the  procedures  for  the  exercise  of  implementing  powers  conferred  on 
the  Commission  (OJ  1999  L 184,  p.  23)]  shall  apply,  having  regard  to  the  provisions  of  Article  8 
thereof. 


Decision  2000/520 


Decision  2000/520  was  adopted  by  the  Commission  on  the  basis  of  Article  25(6)  of  Directive 
95/46. 

Recitals  2,  5 and  8 in  the  preamble  to  that  decision  are  worded  as  follows: 

‘(2)  The  Commission  may  find  that  a third  country  ensures  an  adequate  level  of  protection.  In 
that  case  personal  data  may  be  transferred  from  the  Member  States  without  additional 
guarantees  being  necessary. 


(5)  The  adequate  level  of  protection  for  the  transfer  of  data  from  the  Community  to  the  United 
States  recognised  by  this  Decision,  should  be  attained  if  organisations  comply  with  the  safe 
harbour  privacy  principles  for  the  protection  of  personal  data  transferred  from  a Member  State 
to  the  United  States  (hereinafter  “the  Principles”)  and  the  frequently  asked  questions 
(hereinafter  “the  FAQs”)  providing  guidance  for  the  implementation  of  the  Principles  issued 
by  the  Government  of  the  United  States  on  21  July  2000.  Furthermore  the  organisations 
should  publicly  disclose  their  privacy  policies  and  be  subject  to  the  jurisdiction  of  the  Federal 
Trade  Commission  (FTC)  under  Section  5 of  the  Federal  Trade  Commission  Act  which 
prohibits  unfair  or  deceptive  acts  or  practices  in  or  affecting  commerce,  or  that  of  another 
statutory  body  that  will  effectively  ensure  compliance  with  the  Principles  implemented  in 
accordance  with  the  FAQs. 


(8)  In  the  interests  of  transparency  and  in  order  to  safeguard  the  ability  of  the  competent 
authorities  in  the  Member  States  to  ensure  the  protection  of  individuals  as  regards  the 
processing  of  their  personal  data,  it  is  necessary  to  specify  in  this  Decision  the  exceptional 
circumstances  in  which  the  suspension  of  specific  data  flows  should  be  justified, 
notwithstanding  the  finding  of  adequate  protection.’ 

Articles  1 to  4 of  Decision  2000/520  provide: 

‘Article 1

1. For the purposes of Article 25(2) of Directive 95/46/EC, for all the activities falling within the
scope of that Directive, the “Safe Harbour Privacy Principles” (hereinafter “the Principles”), as set
out in Annex I to this Decision, implemented in accordance with the guidance provided by the
frequently asked questions (hereinafter “the FAQs”) issued by the US Department of Commerce on
21 July 2000 as set out in Annex II to this Decision are considered to ensure an adequate level of
protection for personal data transferred from the Community to organisations established in the
United States, having regard to the following documents issued by the US Department of
Commerce:

(a)  the  safe  harbour  enforcement  overview  set  out  in  Annex  III; 

(b)  a memorandum  on  damages  for  breaches  of  privacy  and  explicit  authorisations  in  US  law  set 
out  in  Annex  IV; 

(c)  a letter  from  the  Federal  Trade  Commission  set  out  in  Annex  V; 

(d)  a letter  from  the  US  Department  of  Transportation  set  out  in  Annex  VI. 


2.  In  relation  to  each  transfer  of  data  the  following  conditions  shall  be  met: 

(a)  the  organisation  receiving  the  data  has  unambiguously  and  publicly  disclosed  its  commitment 
to  comply  with  the  Principles  implemented  in  accordance  with  the  FAQs;  and 

(b)  the  organisation  is  subject  to  the  statutory  powers  of  a government  body  in  the  United  States 
listed  in  Annex  VII  to  this  Decision  which  is  empowered  to  investigate  complaints  and  to 
obtain  relief  against  unfair  or  deceptive  practices  as  well  as  redress  for  individuals, 
irrespective  of  their  country  of  residence  or  nationality,  in  case  of  non-compliance  with  the 
Principles  implemented  in  accordance  with  the  FAQs. 

3. The conditions set out in paragraph 2 are considered to be met for each organisation that
self-certifies its adherence to the Principles implemented in accordance with the FAQs from the date on
which the organisation notifies to the US Department of Commerce (or its designee) the public
disclosure of the commitment referred to in paragraph 2(a) and the identity of the government body
referred to in paragraph 2(b).

Article  2 

This  Decision  concerns  only  the  adequacy  of  protection  provided  in  the  United  States  under  the 
Principles  implemented  in  accordance  with  the  FAQs  with  a view  to  meeting  the  requirements  of 
Article  25(1)  of  Directive  95/46/EC  and  does  not  affect  the  application  of  other  provisions  of  that 
Directive  that  pertain  to  the  processing  of  personal  data  within  the  Member  States,  in  particular 
Article  4 thereof. 

Article  3 

1. Without prejudice to their powers to take action to ensure compliance with national provisions
adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent
authorities in Member States may exercise their existing powers to suspend data flows to an
organisation that has self-certified its adherence to the Principles implemented in accordance with
the FAQs in order to protect individuals with regard to the processing of their personal data in cases
where:

(a)  the  government  body  in  the  United  States  referred  to  in  Annex  VII  to  this  Decision  or  an 
independent  recourse  mechanism  within  the  meaning  of  letter  (a)  of  the  Enforcement  Principle 
set  out  in  Annex  I to  this  Decision  has  determined  that  the  organisation  is  violating  the 
Principles  implemented  in  accordance  with  the  FAQs;  or 

(b)  there  is  a substantial  likelihood  that  the  Principles  are  being  violated;  there  is  a reasonable 
basis  for  believing  that  the  enforcement  mechanism  concerned  is  not  taking  or  will  not  take 
adequate  and  timely  steps  to  settle  the  case  at  issue;  the  continuing  transfer  would  create  an 
imminent  risk  of  grave  harm  to  data  subjects;  and  the  competent  authorities  in  the  Member 
State  have  made  reasonable  efforts  under  the  circumstances  to  provide  the  organisation  with 
notice  and  an  opportunity  to  respond. 

The  suspension  shall  cease  as  soon  as  compliance  with  the  Principles  implemented  in  accordance 
with  the  FAQs  is  assured  and  the  competent  authorities  concerned  in  the  Community  are  notified 
thereof. 

2. Member States shall inform the Commission without delay when measures are adopted on the
basis of paragraph 1.

3. The Member States and the Commission shall also inform each other of cases where the action
of bodies responsible for ensuring compliance with the Principles implemented in accordance with
the FAQs in the United States fails to secure such compliance.

4.  If  the  information  collected  under  paragraphs  1,  2 and  3 provides  evidence  that  any  body 
responsible  for  ensuring  compliance  with  the  Principles  implemented  in  accordance  with  the  FAQs 
in  the  United  States  is  not  effectively  fulfilling  its  role,  the  Commission  shall  inform  the  US 
Department  of  Commerce  and,  if  necessary,  present  draft  measures  in  accordance  with  the 
procedure  referred  to  in  Article  31  of  Directive  95/46/EC  with  a view  to  reversing  or  suspending  the 
present  Decision  or  limiting  its  scope. 

Article  4 

1. This Decision may be adapted at any time in the light of experience with its implementation
and/or if the level of protection provided by the Principles and the FAQs is overtaken by the
requirements of US legislation.

The  Commission  shall  in  any  case  evaluate  the  implementation  of  the  present  Decision  on  the  basis 
of  available  information  three  years  after  its  notification  to  the  Member  States  and  report  any 
pertinent  findings  to  the  Committee  established  under  Article  31  of  Directive  95/46/EC,  including 
any  evidence  that  could  affect  the  evaluation  that  the  provisions  set  out  in  Article  1 of  this  Decision 
provide  adequate  protection  within  the  meaning  of  Article  25  of  Directive  95/46/EC  and  any 
evidence  that  the  present  Decision  is  being  implemented  in  a discriminatory  way. 

2. The Commission shall, if necessary, present draft measures in accordance with the procedure
referred to in Article 31 of Directive 95/46/EC.’

Annex  I to  Decision  2000/520  is  worded  as  follows: 

‘Safe  Harbour  Privacy  Principles 

issued  by  the  US  Department  of  Commerce  on  21  July  2000 

...  the  Department  of  Commerce  is  issuing  this  document  and  Frequently  Asked  Questions  (“the 
Principles”)  under  its  statutory  authority  to  foster,  promote,  and  develop  international  commerce. 
The  Principles  were  developed  in  consultation  with  industry  and  the  general  public  to  facilitate  trade 
and  commerce  between  the  United  States  and  European  Union.  They  are  intended  for  use  solely  by 
US  organisations  receiving  personal  data  from  the  European  Union  for  the  purpose  of  qualifying  for 
the  safe  harbour  and  the  presumption  of  “adequacy”  it  creates.  Because  the  Principles  were  solely 
designed to serve this specific purpose, their adoption for other purposes may be inappropriate. ...

Decisions  by  organisations  to  qualify  for  the  safe  harbour  are  entirely  voluntary,  and  organisations 
may  qualify  for  the  safe  harbour  in  different  ways.  ... 

Adherence  to  these  Principles  may  be  limited:  (a)  to  the  extent  necessary  to  meet  national  security, 
public  interest,  or  law  enforcement  requirements;  (b)  by  statute,  government  regulation,  or  case-law 
that  create  conflicting  obligations  or  explicit  authorisations,  provided  that,  in  exercising  any  such 
authorisation,  an  organisation  can  demonstrate  that  its  non-compliance  with  the  Principles  is  limited 
to  the  extent  necessary  to  meet  the  overriding  legitimate  interests  furthered  by  such  authorisation;  or 
(c)  if  the  effect  of  the  Directive  [or]  Member  State  law  is  to  allow  exceptions  or  derogations, 
provided  such  exceptions  or  derogations  are  applied  in  comparable  contexts.  Consistent  with  the 
goal  of  enhancing  privacy  protection,  organisations  should  strive  to  implement  these  Principles  fully 
and  transparently,  including  indicating  in  their  privacy  policies  where  exceptions  to  the  Principles 
permitted  by  (b)  above  will  apply  on  a regular  basis.  For  the  same  reason,  where  the  option  is 
allowable  under  the  Principles  and/or  US  law,  organisations  are  expected  to  opt  for  the  higher 
protection  where  possible. 


Annex  II  to  Decision  2000/520  reads  as  follows: 


‘Frequently  Asked  Questions  (FAQs) 


FAQ  6 — Self-Certification 

Q: How does an organisation self-certify that it adheres to the Safe Harbour Principles?

A: Safe harbour benefits are assured from the date on which an organisation self-certifies to the
Department of Commerce (or its designee) its adherence to the Principles in accordance with
the guidance set forth below.

To  self-certify  for  the  safe  harbour,  organisations  can  provide  to  the  Department  of  Commerce 
(or  its  designee)  a letter,  signed  by  a corporate  officer  on  behalf  of  the  organisation  that  is 
joining  the  safe  harbour,  that  contains  at  least  the  following  information: 

1. name of organisation, mailing address, e-mail address, telephone and fax numbers;

2. description of the activities of the organisation with respect to personal information
received from the [European Union]; and

3.  description  of  the  organisation’s  privacy  policy  for  such  personal  information,  including: 
(a)  where  the  privacy  policy  is  available  for  viewing  by  the  public,  (b)  its  effective  date 
of  implementation,  (c)  a contact  office  for  the  handling  of  complaints,  access  requests, 
and  any  other  issues  arising  under  the  safe  harbour,  (d)  the  specific  statutory  body  that 
has  jurisdiction  to  hear  any  claims  against  the  organisation  regarding  possible  unfair  or 
deceptive  practices  and  violations  of  laws  or  regulations  governing  privacy  (and  that  is 
listed  in  the  annex  to  the  Principles),  (e)  name  of  any  privacy  programmes  in  which  the 
organisation  is  a member,  (f)  method  of  verification  (e.g.  in-house,  third  party)  ...,  and 
(g)  the  independent  recourse  mechanism  that  is  available  to  investigate  unresolved 
complaints. 

Where  the  organisation  wishes  its  safe  harbour  benefits  to  cover  human  resources  information 
transferred  from  the  [European  Union]  for  use  in  the  context  of  the  employment  relationship, 
it  may  do  so  where  there  is  a statutory  body  with  jurisdiction  to  hear  claims  against  the 
organisation  arising  out  of  human  resources  information  that  is  listed  in  the  annex  to  the 
Principles.  ... 

The  Department  (or  its  designee)  will  maintain  a list  of  all  organisations  that  file  such  letters, 
thereby  assuring  the  availability  of  safe  harbour  benefits,  and  will  update  such  list  on  the  basis 
of annual letters and notifications received pursuant to FAQ 11. ...


FAQ 11 — Dispute Resolution and Enforcement

Q: How should the dispute resolution requirements of the Enforcement Principle be implemented,
and how will an organisation’s persistent failure to comply with the Principles be handled?

A: The Enforcement Principle sets out the requirements for safe harbour enforcement. How to
meet the requirements of point (b) of the Principle is set out in the FAQ on verification (FAQ
7). This FAQ 11 addresses points (a) and (c), both of which require independent recourse
mechanisms. These mechanisms may take different forms, but they must meet the
Enforcement  Principle’s  requirements.  Organisations  may  satisfy  the  requirements  through  the 
following:  (1)  compliance  with  private  sector  developed  privacy  programmes  that  incorporate 
the  Safe  Harbour  Principles  into  their  rules  and  that  include  effective  enforcement 
mechanisms  of  the  type  described  in  the  Enforcement  Principle;  (2)  compliance  with  legal  or 
regulatory  supervisory  authorities  that  provide  for  handling  of  individual  complaints  and 
dispute  resolution;  or  (3)  commitment  to  cooperate  with  data  protection  authorities  located  in 
the  European  Union  or  their  authorised  representatives.  This  list  is  intended  to  be  illustrative 
and  not  limiting.  The  private  sector  may  design  other  mechanisms  to  provide  enforcement,  so 
long  as  they  meet  the  requirements  of  the  Enforcement  Principle  and  the  FAQs.  Please  note 
that  the  Enforcement  Principle’s  requirements  are  additional  to  the  requirements  set  forth  in 
paragraph  3 of  the  introduction  to  the  Principles  that  self-regulatory  efforts  must  be 
enforceable  under  Article  5 of  the  Federal  Trade  Commission  Act  or  similar  statute. 

Recourse  Mechanisms 

Consumers  should  be  encouraged  to  raise  any  complaints  they  may  have  with  the  relevant 
organisation  before  proceeding  to  independent  recourse  mechanisms.  ... 


FTC  Action 

The  FTC  has  committed  to  reviewing  on  a priority  basis  referrals  received  from  privacy  self- 
regulatory  organisations,  such  as  BBBOnline  and  TRUSTe,  and  EU  Member  States  alleging 
non-compliance  with  the  Safe  Harbour  Principles  to  determine  whether  Section  5 of  the  FTC 
Act  prohibiting  unfair  or  deceptive  acts  or  practices  in  commerce  has  been  violated.  ... 


Annex  IV  to  Decision  2000/520  states: 

‘Damages  for  Breaches  of  Privacy,  Legal  Authorisations  and  Mergers  and  Takeovers  in  US  Law 

This  responds  to  the  request  by  the  European  Commission  for  clarification  of  US  law  with  respect  to 
(a)  claims  for  damages  for  breaches  of  privacy,  (b)  “explicit  authorisations”  in  US  law  for  the  use  of 
personal  information  in  a manner  inconsistent  with  the  safe  harbour  principles,  and  (c)  the  effect  of 
mergers  and  takeovers  on  obligations  undertaken  pursuant  to  the  safe  harbour  principles. 


B. Explicit Legal Authorisations

The  safe  harbour  principles  contain  an  exception  where  statute,  regulation  or  case-law  create 
“conflicting  obligations  or  explicit  authorisations,  provided  that,  in  exercising  any  such 
authorisation,  an  organisation  can  demonstrate  that  its  non-compliance  with  the  principles  is  limited 
to  the  extent  necessary  to  meet  the  overriding  legitimate  interests  further[ed]  by  such  authorisation”. 
Clearly,  where  US  law  imposes  a conflicting  obligation,  US  organisations  whether  in  the  safe 
harbour  or  not  must  comply  with  the  law.  As  for  explicit  authorisations,  while  the  safe  harbour 
principles  are  intended  to  bridge  the  differences  between  the  US  and  European  regimes  for  privacy 
protection,  we  owe  deference  to  the  legislative  prerogatives  of  our  elected  lawmakers.  The  limited 
exception  from  strict  adherence  to  the  safe  harbour  principles  seeks  to  strike  a balance  to 
accommodate  the  legitimate  interests  on  each  side. 

The exception is limited to cases where there is an explicit authorisation. Therefore, as a threshold
matter, the relevant statute, regulation or court decision must affirmatively authorise the particular
conduct  by  safe  harbour  organisations  ...  In  other  words,  the  exception  would  not  apply  where  the 
law  is  silent.  In  addition,  the  exception  would  apply  only  if  the  explicit  authorisation  conflicts  with 
adherence  to  the  safe  harbour  principles.  Even  then,  the  exception  “is  limited  to  the  extent  necessary 
to  meet  the  overriding  legitimate  interests  furthered  by  such  authorisation”.  By  way  of  illustration, 
where  the  law  simply  authorises  a company  to  provide  personal  information  to  government 
authorities,  the  exception  would  not  apply.  Conversely,  where  the  law  specifically  authorises  the 
company  to  provide  personal  information  to  government  agencies  without  the  individual’s  consent, 
this  would  constitute  an  “explicit  authorisation”  to  act  in  a manner  that  conflicts  with  the  safe 
harbour  principles.  Alternatively,  specific  exceptions  from  affirmative  requirements  to  provide 
notice  and  consent  would  fall  within  the  exception  (since  it  would  be  the  equivalent  of  a specific 
authorisation  to  disclose  the  information  without  notice  and  consent).  For  example,  a statute  which 
authorises  doctors  to  provide  their  patients’  medical  records  to  health  officials  without  the  patients’ 
prior  consent  might  permit  an  exception  from  the  notice  and  choice  principles.  This  authorisation 
would  not  permit  a doctor  to  provide  the  same  medical  records  to  health  maintenance  organisations 
or  commercial  pharmaceutical  research  laboratories,  which  would  be  beyond  the  scope  of  the 
purposes  authorised  by  the  law  and  therefore  beyond  the  scope  of  the  exception  ...  The  legal 
authority  in  question  can  be  a “stand  alone”  authorisation  to  do  specific  things  with  personal 
information,  but,  as  the  examples  below  illustrate,  it  is  likely  to  be  an  exception  to  a broader  law 
which  proscribes  the  collection,  use,  or  disclosure  of  personal  information. 


Communication  COM(2013)  846 final 

11  On  27  November  2013  the  Commission  adopted  the  communication  to  the  European  Parliament 
and  the  Council  entitled  ‘Rebuilding  Trust  in  EU-US  Data  Flows’  (COM(2013)  846  final) 
(‘Communication  COM(2013)  846  final’).  The  communication  was  accompanied  by  the  ‘Report  on 
the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection’, also
dated  27  November  2013.  That  report  was  drawn  up,  as  stated  in  point  1 thereof,  in  cooperation 
with  the  United  States  after  the  existence  in  that  country  of  a number  of  surveillance  programmes 
involving  the  large-scale  collection  and  processing  of  personal  data  had  been  revealed.  The  report 
contained  inter  alia  a detailed  analysis  of  United  States  law  as  regards,  in  particular,  the  legal  bases 
authorising  the  existence  of  surveillance  programmes  and  the  collection  and  processing  of  personal 
data  by  United  States  authorities. 

12 In point 1 of Communication COM(2013) 846 final, the Commission stated that ‘[c]ommercial
exchanges are addressed by Decision [2000/520]’, adding that ‘[t]his Decision provides a legal basis
for transfers of personal data from the [European Union] to companies established in the [United
States] which have adhered to the Safe Harbour Privacy Principles’. In addition, the Commission
underlined in point 1 the increasing relevance of personal data flows, owing in particular to the
development of the digital economy which has indeed ‘led to exponential growth in the quantity,
quality, diversity and nature of data processing activities’.

13  In  point  2 of  that  communication,  the  Commission  observed  that  ‘concerns  about  the  level  of 
protection  of  personal  data  of  [Union]  citizens  transferred  to  the  [United  States]  under  the  Safe 
Harbour  scheme  have  grown’  and  that  ‘[t]he  voluntary  and  declaratory  nature  of  the  scheme  has 
sharpened  focus  on  its  transparency  and  enforcement’. 

14  It  further  stated  in  point  2 that  ‘[t]he  personal  data  of  [Union]  citizens  sent  to  the  [United  States] 
under  the  Safe  Harbour  may  be  accessed  and  further  processed  by  US  authorities  in  a way 
incompatible  with  the  grounds  on  which  the  data  was  originally  collected  in  the  [European  Union] 
and  the  purposes  for  which  it  was  transferred  to  the  [United  States]’  and  that  ‘[a]  majority  of  the  US 
internet companies that appear to be more directly concerned by [the surveillance] programmes are
certified under the Safe Harbour scheme’.


15  In  point  3.2  of  Communication  COM(2013)  846  final,  the  Commission  noted  a number  of 
weaknesses  in  the  application  of  Decision  2000/520.  It  stated,  first,  that  some  certified  United  States 
companies  did  not  comply  with  the  principles  referred  to  in  Article  1(1)  of  Decision  2000/520  (‘the 
safe  harbour  principles’)  and  that  improvements  had  to  be  made  to  that  decision  regarding 
‘structural  shortcomings  related  to  transparency  and  enforcement,  the  substantive  Safe  Harbour 
principles  and  the  operation  of  the  national  security  exception’.  It  observed,  secondly,  that  ‘Safe 
Harbour  also  acts  as  a conduit  for  the  transfer  of  the  personal  data  of  EU  citizens  from  the 
[European  Union]  to  the  [United  States]  by  companies  required  to  surrender  data  to  US  intelligence 
agencies  under  the  US  intelligence  collection  programmes’. 

16 The Commission concluded in point 3.2 that whilst, ‘[g]iven the weaknesses identified, the current
implementation of Safe Harbour cannot be maintained, ... its revocation would[, however,]
adversely affect the interests of member companies in the [European Union] and in the [United
States]’. Finally, the Commission added in that point that it would ‘engage with the US authorities
to discuss the shortcomings identified’.

Communication  COM(2013)  847 final 

17  On  the  same  date,  27  November  2013,  the  Commission  adopted  the  communication  to  the 
European  Parliament  and  the  Council  on  the  Functioning  of  the  Safe  Harbour  from  the  Perspective 
of  EU  Citizens  and  Companies  Established  in  the  [European  Union]  (COM(2013)  847  final) 
(‘Communication  COM(2013)  847  final’).  As  is  clear  from  point  1 thereof,  that  communication  was 
based  inter  alia  on  information  received  in  the  ad  hoc  EU-US  Working  Group  and  followed  two 
Commission  assessment  reports  published  in  2002  and  2004  respectively. 

18  Point  1 of  Communication  COM(2013)  847  final  explains  that  the  functioning  of  Decision 
2000/520  ‘relies  on  commitments  and  self-certification  of  adhering  companies’,  adding  that 
‘[s]igning up to these arrangements is voluntary, but the rules are binding for those who sign up’.

19  In  addition,  it  is  apparent  from  point  2.2  of  Communication  COM(2013)  847  final  that,  as  at 
26  September  2013,  3 246  companies,  falling  within  many  industry  and  services  sectors,  were 
certified.  Those  companies  mainly  provided  services  in  the  EU  internal  market,  in  particular  in  the 
internet  sector,  and  some  of  them  were  EU  companies  which  had  subsidiaries  in  the  United  States. 
Some  of  those  companies  processed  the  data  of  their  employees  in  Europe  which  was  transferred  to 
the  United  States  for  human  resource  purposes. 

20  The  Commission  stated  in  point  2.2  that  ‘[a]ny  gap  in  transparency  or  in  enforcement  on  the  US 
side  results  in  responsibility  being  shifted  to  European  data  protection  authorities  and  to  the 
companies which use the scheme’.

21  It  is  apparent,  in  particular,  from  points  3 to  5 and  8 of  Communication  COM(2013)  847  final  that, 
in  practice,  a significant  number  of  certified  companies  did  not  comply,  or  did  not  comply  fully,  with 
the  safe  harbour  principles. 

22  In  addition,  the  Commission  stated  in  point  7 of  Communication  COM(2013)  847  final  that  ‘all 
companies  involved  in  the  PRISM  programme  [a  large-scale  intelligence  collection  programme], 
and  which  grant  access  to  US  authorities  to  data  stored  and  processed  in  the  [United  States],  appear 
to  be  Safe  Harbour  certified’  and  that  ‘[t]his  has  made  the  Safe  Harbour  scheme  one  of  the  conduits 
through  which  access  is  given  to  US  intelligence  authorities  to  collecting  personal  data  initially 
processed  in  the  [European  Union]’.  In  that  regard,  the  Commission  noted  in  point  7.1  of  that 
communication  that  ‘a  number  of  legal  bases  under  US  law  allow  large-scale  collection  and 
processing  of  personal  data  that  is  stored  or  otherwise  processed  [by]  companies  based  in  the 
[United States]’ and that ‘[t]he large-scale nature of these programmes may result in data transferred
under Safe Harbour being accessed and further processed by US authorities beyond what is strictly
necessary  and  proportionate  to  the  protection  of  national  security  as  foreseen  under  the  exception 
provided  in  [Decision  2000/520]’. 

23  In  point  7.2  of  Communication  COM(2013)  847  final,  headed  ‘Limitations  and  redress 
possibilities’,  the  Commission  noted  that  ‘safeguards  that  are  provided  under  US  law  are  mostly 
available to US citizens or legal residents’ and that, ‘[m]oreover, there are no opportunities for either
EU  or  US  data  subjects  to  obtain  access,  rectification  or  erasure  of  data,  or  administrative  or  judicial 
redress  with  regard  to  collection  and  further  processing  of  their  personal  data  taking  place  under  the 
US  surveillance  programmes’. 

24  According  to  point  8 of  Communication  COM(2013)  847  final,  the  certified  companies  included 
‘[w]eb  companies  such  as  Google,  Facebook,  Microsoft,  Apple,  Yahoo’,  which  had  ‘hundreds  of 
millions  of  clients  in  Europe’  and  transferred  personal  data  to  the  United  States  for  processing. 

25  The  Commission  concluded  in  point  8 that  ‘the  large-scale  access  by  intelligence  agencies  to  data 
transferred  to  the  [United  States]  by  Safe  Harbour  certified  companies  raises  additional  serious 
questions  regarding  the  continuity  of  data  protection  rights  of  Europeans  when  their  data  is 
transferred to the [United States]’.

The  dispute  in  the  main  proceedings  and  the  questions  referred  for  a preliminary  ruling 

26  Mr  Schrems,  an  Austrian  national  residing  in  Austria,  has  been  a user  of  the  Facebook  social 
network  (‘Facebook’)  since  2008. 

27  Any  person  residing  in  the  European  Union  who  wishes  to  use  Facebook  is  required  to  conclude,  at 
the  time  of  his  registration,  a contract  with  Facebook  Ireland,  a subsidiary  of  Facebook  Inc.  which  is 
itself  established  in  the  United  States.  Some  or  all  of  the  personal  data  of  Facebook  Ireland’s  users 
who  reside  in  the  European  Union  is  transferred  to  servers  belonging  to  Facebook  Inc.  that  are 
located  in  the  United  States,  where  it  undergoes  processing. 

28  On  25  June  2013  Mr  Schrems  made  a complaint  to  the  Commissioner  by  which  he  in  essence  asked 
the  latter  to  exercise  his  statutory  powers  by  prohibiting  Facebook  Ireland  from  transferring  his 
personal  data  to  the  United  States.  He  contended  in  his  complaint  that  the  law  and  practice  in  force 
in  that  country  did  not  ensure  adequate  protection  of  the  personal  data  held  in  its  territory  against  the 
surveillance  activities  that  were  engaged  in  there  by  the  public  authorities.  Mr  Schrems  referred  in 
this  regard  to  the  revelations  made  by  Edward  Snowden  concerning  the  activities  of  the  United 
States  intelligence  services,  in  particular  those  of  the  National  Security  Agency  (‘the  NSA’). 

29  Since  the  Commissioner  took  the  view  that  he  was  not  required  to  investigate  the  matters  raised  by 
Mr  Schrems  in  the  complaint,  he  rejected  it  as  unfounded.  The  Commissioner  considered  that  there 
was  no  evidence  that  Mr  Schrems’  personal  data  had  been  accessed  by  the  NSA.  He  added  that  the 
allegations  raised  by  Mr  Schrems  in  his  complaint  could  not  be  profitably  put  forward  since  any 
question  of  the  adequacy  of  data  protection  in  the  United  States  had  to  be  determined  in  accordance 
with  Decision  2000/520  and  the  Commission  had  found  in  that  decision  that  the  United  States 
ensured  an  adequate  level  of  protection. 

30  Mr  Schrems  brought  an  action  before  the  High  Court  challenging  the  decision  at  issue  in  the  main 
proceedings.  After  considering  the  evidence  adduced  by  the  parties  to  the  main  proceedings,  the 
High  Court  found  that  the  electronic  surveillance  and  interception  of  personal  data  transferred  from 
the  European  Union  to  the  United  States  serve  necessary  and  indispensable  objectives  in  the  public 
interest.  However,  it  added  that  the  revelations  made  by  Edward  Snowden  had  demonstrated  a 
‘significant  over-reach’  on  the  part  of  the  NSA  and  other  federal  agencies. 


31  According  to  the  High  Court,  Union  citizens  have  no  effective  right  to  be  heard.  Oversight  of  the 
intelligence  services’  actions  is  carried  out  within  the  framework  of  an  ex  parte  and  secret 
procedure.  Once  the  personal  data  has  been  transferred  to  the  United  States,  it  is  capable  of  being 
accessed by the NSA and other federal agencies, such as the Federal Bureau of Investigation (FBI),
in  the  course  of  the  indiscriminate  surveillance  and  interception  carried  out  by  them  on  a large  scale. 

32  The  High  Court  stated  that  Irish  law  precludes  the  transfer  of  personal  data  outside  national 
territory  save  where  the  third  country  ensures  an  adequate  level  of  protection  for  privacy  and 
fundamental  rights  and  freedoms.  The  importance  of  the  rights  to  privacy  and  to  inviolability  of  the 
dwelling,  which  are  guaranteed  by  the  Irish  Constitution,  requires  that  any  interference  with  those 
rights  be  proportionate  and  in  accordance  with  the  law. 

33  The  High  Court  held  that  the  mass  and  undifferentiated  accessing  of  personal  data  is  clearly 
contrary  to  the  principle  of  proportionality  and  the  fundamental  values  protected  by  the  Irish 
Constitution.  In  order  for  interception  of  electronic  communications  to  be  regarded  as  consistent 
with  the  Irish  Constitution,  it  would  be  necessary  to  demonstrate  that  the  interception  is  targeted, 
that  the  surveillance  of  certain  persons  or  groups  of  persons  is  objectively  justified  in  the  interests  of 
national  security  or  the  suppression  of  crime  and  that  there  are  appropriate  and  verifiable  safeguards. 
Thus,  according  to  the  High  Court,  if  the  main  proceedings  were  to  be  disposed  of  on  the  basis  of 
Irish  law  alone,  it  would  then  have  to  be  found  that,  given  the  existence  of  a serious  doubt  as  to 
whether  the  United  States  ensures  an  adequate  level  of  protection  of  personal  data,  the 
Commissioner  should  have  proceeded  to  investigate  the  matters  raised  by  Mr  Schrems  in  his 
complaint  and  that  the  Commissioner  was  wrong  in  rejecting  the  complaint. 

34  However,  the  High  Court  considers  that  this  case  concerns  the  implementation  of  EU  law  as 
referred  to  in  Article  51  of  the  Charter  and  that  the  legality  of  the  decision  at  issue  in  the  main 
proceedings  must  therefore  be  assessed  in  the  light  of  EU  law.  According  to  the  High  Court, 
Decision  2000/520  does  not  satisfy  the  requirements  flowing  both  from  Articles  7 and  8 of  the 
Charter  and  from  the  principles  set  out  by  the  Court  of  Justice  in  the  judgment  in  Digital  Rights 
Ireland  and  Others  (C-293/12  and  C-594/12,  EU:C:2014:238).  The  right  to  respect  for  private  life, 
guaranteed  by  Article  7 of  the  Charter  and  by  the  core  values  common  to  the  traditions  of  the 
Member  States,  would  be  rendered  meaningless  if  the  State  authorities  were  authorised  to  access 
electronic  communications  on  a casual  and  generalised  basis  without  any  objective  justification 
based  on  considerations  of  national  security  or  the  prevention  of  crime  that  are  specific  to  the 
individual  concerned  and  without  those  practices  being  accompanied  by  appropriate  and  verifiable 
safeguards. 

35  The  High  Court  further  observes  that  in  his  action  Mr  Schrems  in  reality  raises  the  legality  of  the 
safe  harbour  regime  which  was  established  by  Decision  2000/520  and  gives  rise  to  the  decision  at 
issue  in  the  main  proceedings.  Thus,  even  though  Mr  Schrems  has  not  formally  contested  the 
validity  of  either  Directive  95/46  or  Decision  2000/520,  the  question  is  raised,  according  to  the  High 
Court,  as  to  whether,  on  account  of  Article  25(6)  of  Directive  95/46,  the  Commissioner  was  bound 
by  the  Commission’s  finding  in  Decision  2000/520  that  the  United  States  ensures  an  adequate  level 
of  protection  or  whether  Article  8 of  the  Charter  authorised  the  Commissioner  to  break  free,  if 
appropriate,  from  such  a finding. 

36  In  those  circumstances  the  High  Court  decided  to  stay  the  proceedings  and  to  refer  the  following 
questions  to  the  Court  of  Justice  for  a preliminary  ruling: 

‘(1)  Whether  in  the  course  of  determining  a complaint  which  has  been  made  to  an  independent 
office  holder  who  has  been  vested  by  statute  with  the  functions  of  administering  and  enforcing 
data  protection  legislation  that  personal  data  is  being  transferred  to  another  third  country  (in 
this  case,  the  United  States  of  America)  the  laws  and  practices  of  which,  it  is  claimed,  do  not 
contain adequate protections for the data subject, that office holder is absolutely bound by the
Community finding to the contrary contained in [Decision 2000/520] having regard to
Article  7,  Article  8 and  Article  47  of  [the  Charter],  the  provisions  of  Article  25(6)  of  Directive 
[95/46]  notwithstanding? 

(2)  Or,  alternatively,  may  and/or  must  the  office  holder  conduct  his  or  her  own  investigation  of 
the  matter  in  the  light  of  factual  developments  in  the  meantime  since  that  Commission 
decision  was  first  published?’ 


Consideration  of  the  questions  referred 

37  By  its  questions,  which  it  is  appropriate  to  examine  together,  the  referring  court  asks,  in  essence, 
whether  and  to  what  extent  Article  25(6)  of  Directive  95/46,  read  in  the  light  of  Articles  7,  8 and  47 
of  the  Charter,  must  be  interpreted  as  meaning  that  a decision  adopted  pursuant  to  that  provision, 
such  as  Decision  2000/520,  by  which  the  Commission  finds  that  a third  country  ensures  an  adequate 
level  of  protection,  prevents  a supervisory  authority  of  a Member  State,  within  the  meaning  of 
Article  28  of  that  directive,  from  being  able  to  examine  the  claim  of  a person  concerning  the 
protection  of  his  rights  and  freedoms  in  regard  to  the  processing  of  personal  data  relating  to  him 
which  has  been  transferred  from  a Member  State  to  that  third  country  when  that  person  contends 
that  the  law  and  practices  in  force  in  the  third  country  do  not  ensure  an  adequate  level  of  protection. 

The  powers  of  the  national  supervisory  authorities,  within  the  meaning  of  Article  28  of  Directive 
95/46, when the Commission has adopted a decision pursuant to Article 25(6) of that directive

38  It  should  be  recalled  first  of  all  that  the  provisions  of  Directive  95/46,  inasmuch  as  they  govern  the 
processing  of  personal  data  liable  to  infringe  fundamental  freedoms,  in  particular  the  right  to  respect 
for  private  life,  must  necessarily  be  interpreted  in  the  light  of  the  fundamental  rights  guaranteed  by 
the Charter (see judgments in Österreichischer Rundfunk and Others, C-465/00, C-138/01 and
C-139/01, EU:C:2003:294, paragraph 68; Google Spain and Google, C-131/12, EU:C:2014:317,
paragraph 68; and Ryneš, C-212/13, EU:C:2014:2428, paragraph 29).

39  It  is  apparent  from  Article  1 of  Directive  95/46  and  recitals  2 and  10  in  its  preamble  that  that 
directive  seeks  to  ensure  not  only  effective  and  complete  protection  of  the  fundamental  rights  and 
freedoms  of  natural  persons,  in  particular  the  fundamental  right  to  respect  for  private  life  with 
regard  to  the  processing  of  personal  data,  but  also  a high  level  of  protection  of  those  fundamental 
rights  and  freedoms.  The  importance  of  both  the  fundamental  right  to  respect  for  private  life, 
guaranteed  by  Article  7 of  the  Charter,  and  the  fundamental  right  to  the  protection  of  personal  data, 
guaranteed  by  Article  8 thereof,  is,  moreover,  emphasised  in  the  case-law  of  the  Court  (see 
judgments  in  Rijkeboer,  C-553/07,  EU:C:2009:293,  paragraph  47;  Digital  Rights  Ireland  and 
Others,  C-293/12  and  C-594/12,  EU:C:2014:238,  paragraph  53;  and  Google  Spain  and  Google, 
C-131/12, EU:C:2014:317, paragraphs 53, 66, 74 and the case-law cited).

40  As  regards  the  powers  available  to  the  national  supervisory  authorities  in  respect  of  transfers  of 
personal  data  to  third  countries,  it  should  be  noted  that  Article  28(1)  of  Directive  95/46  requires 
Member  States  to  set  up  one  or  more  public  authorities  responsible  for  monitoring,  with  complete 
independence,  compliance  with  EU  rules  on  the  protection  of  individuals  with  regard  to  the 
processing  of  such  data.  In  addition,  that  requirement  derives  from  the  primary  law  of  the  European 
Union,  in  particular  Article  8(3)  of  the  Charter  and  Article  16(2)  TFEU  (see,  to  this  effect, 
judgments  in  Commission  v Austria,  C-614/10,  EU:C:2012:631,  paragraph  36,  and  Commission  v 
Hungary,  C-288/12,  EU:C:2014:237,  paragraph  47). 

41  The  guarantee  of  the  independence  of  national  supervisory  authorities  is  intended  to  ensure  the 
effectiveness  and  reliability  of  the  monitoring  of  compliance  with  the  provisions  concerning 
protection of individuals with regard to the processing of personal data and must be interpreted in
the light of that aim. It was established in order to strengthen the protection of individuals and
bodies  affected  by  the  decisions  of  those  authorities.  The  establishment  in  Member  States  of 
independent  supervisory  authorities  is  therefore,  as  stated  in  recital  62  in  the  preamble  to  Directive 
95/46,  an  essential  component  of  the  protection  of  individuals  with  regard  to  the  processing  of 
personal  data  (see  judgments  in  Commission  v Germany,  C-518/07,  EU:C:2010:125,  paragraph  25, 
and  Commission  v Hungary,  C-288/12,  EU:C:2014:237,  paragraph  48  and  the  case-law  cited). 

42  In  order  to  guarantee  that  protection,  the  national  supervisory  authorities  must,  in  particular,  ensure 
a fair  balance  between,  on  the  one  hand,  observance  of  the  fundamental  right  to  privacy  and,  on  the 
other  hand,  the  interests  requiring  free  movement  of  personal  data  (see,  to  this  effect,  judgments  in 
Commission  v Germany,  C-518/07,  EU:C:2010:125,  paragraph  24,  and  Commission  v Hungary, 
C-288/12,  EU:C:2014:237,  paragraph  51). 

43  The  national  supervisory  authorities  have  a wide  range  of  powers  for  that  purpose.  Those  powers, 
listed on a non-exhaustive basis in Article 28(3) of Directive 95/46, constitute necessary means to
perform  their  duties,  as  stated  in  recital  63  in  the  preamble  to  the  directive.  Thus,  those  authorities 
possess,  in  particular,  investigative  powers,  such  as  the  power  to  collect  all  the  information 
necessary  for  the  performance  of  their  supervisory  duties,  effective  powers  of  intervention,  such  as 
that  of  imposing  a temporary  or  definitive  ban  on  processing  of  data,  and  the  power  to  engage  in 
legal  proceedings. 

44  It  is,  admittedly,  apparent  from  Article  28(1)  and  (6)  of  Directive  95/46  that  the  powers  of  the 
national  supervisory  authorities  concern  processing  of  personal  data  carried  out  on  the  territory  of 
their  own  Member  State,  so  that  they  do  not  have  powers  on  the  basis  of  Article  28  in  respect  of 
processing  of  such  data  carried  out  in  a third  country. 

45  However,  the  operation  consisting  in  having  personal  data  transferred  from  a Member  State  to  a 
third  country  constitutes,  in  itself,  processing  of  personal  data  within  the  meaning  of  Article  2(b)  of 
Directive 95/46 (see, to this effect, judgment in Parliament v Council and Commission, C-317/04
and C-318/04, EU:C:2006:346, paragraph 56) carried out in a Member State. That provision defines
‘processing  of  personal  data’  as  ‘any  operation  or  set  of  operations  which  is  performed  upon 
personal  data,  whether  or  not  by  automatic  means’  and  mentions,  by  way  of  example,  ‘disclosure  by 
transmission,  dissemination  or  otherwise  making  available’. 

46  Recital  60  in  the  preamble  to  Directive  95/46  states  that  transfers  of  personal  data  to  third  countries 
may  be  effected  only  in  full  compliance  with  the  provisions  adopted  by  the  Member  States  pursuant 
to  the  directive.  In  that  regard,  Chapter  IV  of  the  directive,  in  which  Articles  25  and  26  appear,  has 
set  up  a regime  intended  to  ensure  that  the  Member  States  oversee  transfers  of  personal  data  to  third 
countries.  That  regime  is  complementary  to  the  general  regime  set  up  by  Chapter  II  of  the  directive 
laying  down  the  general  rules  on  the  lawfulness  of  the  processing  of  personal  data  (see,  to  this 
effect, judgment in Lindqvist, C-101/01, EU:C:2003:596, paragraph 63).

47  As,  in  accordance  with  Article  8(3)  of  the  Charter  and  Article  28  of  Directive  95/46,  the  national 
supervisory  authorities  are  responsible  for  monitoring  compliance  with  the  EU  rules  concerning  the 
protection  of  individuals  with  regard  to  the  processing  of  personal  data,  each  of  them  is  therefore 
vested  with  the  power  to  check  whether  a transfer  of  personal  data  from  its  own  Member  State  to  a 
third  country  complies  with  the  requirements  laid  down  by  Directive  95/46. 

48  Whilst  acknowledging,  in  recital  56  in  its  preamble,  that  transfers  of  personal  data  from  the 
Member  States  to  third  countries  are  necessary  for  the  expansion  of  international  trade,  Directive 
95/46  lays  down  as  a principle,  in  Article  25(1),  that  such  transfers  may  take  place  only  if  the  third 
country  ensures  an  adequate  level  of  protection. 

49 Furthermore, recital 57 states that transfers of personal data to third countries not ensuring an
adequate level of protection must be prohibited.


50  In  order  to  control  transfers  of  personal  data  to  third  countries  according  to  the  level  of  protection 
accorded  to  it  in  each  of  those  countries,  Article  25  of  Directive  95/46  imposes  a series  of 
obligations  on  the  Member  States  and  the  Commission.  It  is  apparent,  in  particular,  from  that  article 
that  the  finding  that  a third  country  does  or  does  not  ensure  an  adequate  level  of  protection  may,  as 
the  Advocate  General  has  observed  in  point  86  of  his  Opinion,  be  made  either  by  the  Member  States 
or  by  the  Commission. 

51 The Commission may adopt, on the basis of Article 25(6) of Directive 95/46, a decision finding that
a third  country  ensures  an  adequate  level  of  protection.  In  accordance  with  the  second  subparagraph 
of  that  provision,  such  a decision  is  addressed  to  the  Member  States,  who  must  take  the  measures 
necessary  to  comply  with  it.  Pursuant  to  the  fourth  paragraph  of  Article  288  TFEU,  it  is  binding  on 
all  the  Member  States  to  which  it  is  addressed  and  is  therefore  binding  on  all  their  organs  (see,  to 
this effect, judgments in Albako Margarinefabrik, 249/85, EU:C:1987:245, paragraph 17, and
Mediaset, C-69/13, EU:C:2014:71, paragraph 23) in so far as it has the effect of authorising
transfers  of  personal  data  from  the  Member  States  to  the  third  country  covered  by  it. 

52  Thus,  until  such  time  as  the  Commission  decision  is  declared  invalid  by  the  Court,  the  Member 
States  and  their  organs,  which  include  their  independent  supervisory  authorities,  admittedly  cannot 
adopt  measures  contrary  to  that  decision,  such  as  acts  intended  to  determine  with  binding  effect  that 
the  third  country  covered  by  it  does  not  ensure  an  adequate  level  of  protection.  Measures  of  the  EU 
institutions  are  in  principle  presumed  to  be  lawful  and  accordingly  produce  legal  effects  until  such 
time  as  they  are  withdrawn,  annulled  in  an  action  for  annulment  or  declared  invalid  following  a 
reference for a preliminary ruling or a plea of illegality (judgment in Commission v Greece,
C-475/01,  EU:C:2004:585,  paragraph  18  and  the  case-law  cited). 

53  However,  a Commission  decision  adopted  pursuant  to  Article  25(6)  of  Directive  95/46,  such  as 
Decision  2000/520,  cannot  prevent  persons  whose  personal  data  has  been  or  could  be  transferred  to 
a third  country  from  lodging  with  the  national  supervisory  authorities  a claim,  within  the  meaning  of 
Article  28(4)  of  that  directive,  concerning  the  protection  of  their  rights  and  freedoms  in  regard  to  the 
processing  of  that  data.  Likewise,  as  the  Advocate  General  has  observed  in  particular  in  points  61, 
93  and  116  of  his  Opinion,  a decision  of  that  nature  cannot  eliminate  or  reduce  the  powers  expressly 
accorded  to  the  national  supervisory  authorities  by  Article  8(3)  of  the  Charter  and  Article  28  of  the 
directive. 

54  Neither  Article  8(3)  of  the  Charter  nor  Article  28  of  Directive  95/46  excludes  from  the  national 
supervisory  authorities’  sphere  of  competence  the  oversight  of  transfers  of  personal  data  to  third 
countries  which  have  been  the  subject  of  a Commission  decision  pursuant  to  Article  25(6)  of 
Directive  95/46. 

55  In  particular,  the  first  subparagraph  of  Article  28(4)  of  Directive  95/46,  under  which  the  national 
supervisory  authorities  are  to  hear  ‘claims  lodged  by  any  person  ...  concerning  the  protection  of  his 
rights and freedoms in regard to the processing of personal data’, does not provide for any exception
in  this  regard  where  the  Commission  has  adopted  a decision  pursuant  to  Article  25(6)  of  that 
directive. 

56  Furthermore,  it  would  be  contrary  to  the  system  set  up  by  Directive  95/46  and  to  the  objective  of 
Articles  25  and  28  thereof  for  a Commission  decision  adopted  pursuant  to  Article  25(6)  to  have  the 
effect  of  preventing  a national  supervisory  authority  from  examining  a person’s  claim  concerning 
the  protection  of  his  rights  and  freedoms  in  regard  to  the  processing  of  his  personal  data  which  has 
been  or  could  be  transferred  from  a Member  State  to  the  third  country  covered  by  that  decision. 

57  On  the  contrary,  Article  28  of  Directive  95/46  applies,  by  its  very  nature,  to  any  processing  of 
personal data. Thus, even if the Commission has adopted a decision pursuant to Article 25(6) of that
directive, the national supervisory authorities, when hearing a claim lodged by a person concerning
the  protection  of  his  rights  and  freedoms  in  regard  to  the  processing  of  personal  data  relating  to  him, 
must  be  able  to  examine,  with  complete  independence,  whether  the  transfer  of  that  data  complies 
with  the  requirements  laid  down  by  the  directive. 

58  If  that  were  not  so,  persons  whose  personal  data  has  been  or  could  be  transferred  to  the  third 
country  concerned  would  be  denied  the  right,  guaranteed  by  Article  8(1)  and  (3)  of  the  Charter,  to 
lodge  with  the  national  supervisory  authorities  a claim  for  the  purpose  of  protecting  their 
fundamental rights (see, by analogy, judgment in Digital Rights Ireland and Others, C-293/12 and
C-594/12,  EU:C:2014:238,  paragraph  68). 

59  A claim,  within  the  meaning  of  Article  28(4)  of  Directive  95/46,  by  which  a person  whose  personal 
data  has  been  or  could  be  transferred  to  a third  country  contends,  as  in  the  main  proceedings,  that, 
notwithstanding  what  the  Commission  has  found  in  a decision  adopted  pursuant  to  Article  25(6)  of 
that  directive,  the  law  and  practices  of  that  country  do  not  ensure  an  adequate  level  of  protection 
must  be  understood  as  concerning,  in  essence,  whether  that  decision  is  compatible  with  the 
protection  of  the  privacy  and  of  the  fundamental  rights  and  freedoms  of  individuals. 

60  In  this  connection,  the  Court’s  settled  case-law  should  be  recalled  according  to  which  the  European 
Union  is  a union  based  on  the  rule  of  law  in  which  all  acts  of  its  institutions  are  subject  to  review  of 
their  compatibility  with,  in  particular,  the  Treaties,  general  principles  of  law  and  fundamental  rights 
(see, to this effect, judgments in Commission and Others v Kadi, C-584/10 P, C-593/10 P and
C-595/10 P, EU:C:2013:518, paragraph 66; Inuit Tapiriit Kanatami and Others v Parliament and
Council, C-583/11 P, EU:C:2013:625, paragraph 91; and Telefónica v Commission, C-274/12 P,
EU:C:2013:852,  paragraph  56).  Commission  decisions  adopted  pursuant  to  Article  25(6)  of 
Directive  95/46  cannot  therefore  escape  such  review. 

61  That  said,  the  Court  alone  has  jurisdiction  to  declare  that  an  EU  act,  such  as  a Commission  decision 
adopted  pursuant  to  Article  25(6)  of  Directive  95/46,  is  invalid,  the  exclusivity  of  that  jurisdiction 
having  the  purpose  of  guaranteeing  legal  certainty  by  ensuring  that  EU  law  is  applied  uniformly  (see 
judgments  in  Melki  and  Abdeli,  C-188/10  and  C-189/10,  EU:C:2010:363,  paragraph  54,  and 
CIVAD,  C-533/10,  EU:C:2012:347,  paragraph  40). 

62  Whilst  the  national  courts  are  admittedly  entitled  to  consider  the  validity  of  an  EU  act,  such  as  a 
Commission  decision  adopted  pursuant  to  Article  25(6)  of  Directive  95/46,  they  are  not,  however, 
endowed  with  the  power  to  declare  such  an  act  invalid  themselves  (see,  to  this  effect,  judgments  in 
Foto-Frost, 314/85, EU:C:1987:452, paragraphs 15 to 20, and IATA and ELFAA, C-344/04,
EU:C:2006:10,  paragraph  27).  A fortiori,  when  the  national  supervisory  authorities  examine  a claim, 
within  the  meaning  of  Article  28(4)  of  that  directive,  concerning  the  compatibility  of  a Commission 
decision  adopted  pursuant  to  Article  25(6)  of  the  directive  with  the  protection  of  the  privacy  and  of 
the  fundamental  rights  and  freedoms  of  individuals,  they  are  not  entitled  to  declare  that  decision 
invalid  themselves. 

63  Having  regard  to  those  considerations,  where  a person  whose  personal  data  has  been  or  could  be 
transferred  to  a third  country  which  has  been  the  subject  of  a Commission  decision  pursuant  to 
Article  25(6)  of  Directive  95/46  lodges  with  a national  supervisory  authority  a claim  concerning  the 
protection  of  his  rights  and  freedoms  in  regard  to  the  processing  of  that  data  and  contests,  in 
bringing  the  claim,  as  in  the  main  proceedings,  the  compatibility  of  that  decision  with  the  protection 
of  the  privacy  and  of  the  fundamental  rights  and  freedoms  of  individuals,  it  is  incumbent  upon  the 
national  supervisory  authority  to  examine  the  claim  with  all  due  diligence. 

64  In  a situation  where  the  national  supervisory  authority  comes  to  the  conclusion  that  the  arguments 
put  forward  in  support  of  such  a claim  are  unfounded  and  therefore  rejects  it,  the  person  who  lodged 
the claim must, as is apparent from the second subparagraph of Article 28(3) of Directive 95/46,
read in the light of Article 47 of the Charter, have access to judicial remedies enabling him to
challenge  such  a decision  adversely  affecting  him  before  the  national  courts.  Having  regard  to  the 
case-law  cited  in  paragraphs  61  and  62  of  the  present  judgment,  those  courts  must  stay  proceedings 
and  make  a reference  to  the  Court  for  a preliminary  ruling  on  validity  where  they  consider  that  one 
or  more  grounds  for  invalidity  put  forward  by  the  parties  or,  as  the  case  may  be,  raised  by  them  of 
their own motion are well founded (see, to this effect, judgment in T & L Sugars and Sidul Açúcares
v Commission, C-456/13 P, EU:C:2015:284, paragraph 48 and the case-law cited).

65  In  the  converse  situation,  where  the  national  supervisory  authority  considers  that  the  objections 
advanced  by  the  person  who  has  lodged  with  it  a claim  concerning  the  protection  of  his  rights  and 
freedoms  in  regard  to  the  processing  of  his  personal  data  are  well  founded,  that  authority  must,  in 
accordance  with  the  third  indent  of  the  first  subparagraph  of  Article  28(3)  of  Directive  95/46,  read  in 
the  light  in  particular  of  Article  8(3)  of  the  Charter,  be  able  to  engage  in  legal  proceedings.  It  is 
incumbent  upon  the  national  legislature  to  provide  for  legal  remedies  enabling  the  national 
supervisory  authority  concerned  to  put  forward  the  objections  which  it  considers  well  founded 
before  the  national  courts  in  order  for  them,  if  they  share  its  doubts  as  to  the  validity  of  the 
Commission  decision,  to  make  a reference  for  a preliminary  ruling  for  the  purpose  of  examination 
of  the  decision’s  validity. 

66  Having  regard  to  the  foregoing  considerations,  the  answer  to  the  questions  referred  is  that 
Article  25(6)  of  Directive  95/46,  read  in  the  light  of  Articles  7,  8 and  47  of  the  Charter,  must  be 
interpreted  as  meaning  that  a decision  adopted  pursuant  to  that  provision,  such  as  Decision 
2000/520,  by  which  the  Commission  finds  that  a third  country  ensures  an  adequate  level  of 
protection,  does  not  prevent  a supervisory  authority  of  a Member  State,  within  the  meaning  of 
Article  28  of  that  directive,  from  examining  the  claim  of  a person  concerning  the  protection  of  his 
rights  and  freedoms  in  regard  to  the  processing  of  personal  data  relating  to  him  which  has  been 
transferred  from  a Member  State  to  that  third  country  when  that  person  contends  that  the  law  and 
practices  in  force  in  the  third  country  do  not  ensure  an  adequate  level  of  protection. 

The  validity  of  Decision  2000/520 

67  As  is  apparent  from  the  referring  court’s  explanations  relating  to  the  questions  submitted, 
Mr  Schrems  contends  in  the  main  proceedings  that  United  States  law  and  practice  do  not  ensure  an 
adequate  level  of  protection  within  the  meaning  of  Article  25  of  Directive  95/46.  As  the  Advocate 
General  has  observed  in  points  123  and  124  of  his  Opinion,  Mr  Schrems  expresses  doubts,  which 
the  referring  court  indeed  seems  essentially  to  share,  concerning  the  validity  of  Decision  2000/520. 
In  such  circumstances,  having  regard  to  what  has  been  held  in  paragraphs  60  to  63  of  the  present 
judgment  and  in  order  to  give  the  referring  court  a full  answer,  it  should  be  examined  whether  that 
decision  complies  with  the  requirements  stemming  from  Directive  95/46  read  in  the  light  of  the 
Charter. 

The  requirements  stemming  from  Article  25(6)  of  Directive  95/46 

68  As  has  already  been  pointed  out  in  paragraphs  48  and  49  of  the  present  judgment,  Article  25(1)  of 
Directive  95/46  prohibits  transfers  of  personal  data  to  a third  country  not  ensuring  an  adequate  level 
of  protection. 

69  However,  for  the  purpose  of  overseeing  such  transfers,  the  first  subparagraph  of  Article  25(6)  of 
Directive  95/46  provides  that  the  Commission  ‘may  find  ...  that  a third  country  ensures  an  adequate 
level  of  protection  within  the  meaning  of  paragraph  2 of  this  Article,  by  reason  of  its  domestic  law 
or of the international commitments it has entered into ..., for the protection of the private lives and
basic  freedoms  and  rights  of  individuals’. 

70  It  is  true  that  neither  Article  25(2)  of  Directive  95/46  nor  any  other  provision  of  the  directive 
contains a definition of the concept of an adequate level of protection. In particular, Article 25(2)
does no more than state that the adequacy of the level of protection afforded by a third country
‘shall  be  assessed  in  the  light  of  all  the  circumstances  surrounding  a data  transfer  operation  or  set  of 
data  transfer  operations’  and  lists,  on  a non-exhaustive  basis,  the  circumstances  to  which 
consideration  must  be  given  when  carrying  out  such  an  assessment. 

71  However,  first,  as  is  apparent  from  the  very  wording  of  Article  25(6)  of  Directive  95/46,  that 
provision  requires  that  a third  country  ‘ensures’  an  adequate  level  of  protection  by  reason  of  its 
domestic  law  or  its  international  commitments.  Secondly,  according  to  the  same  provision,  the 
adequacy  of  the  protection  ensured  by  the  third  country  is  assessed  ‘for  the  protection  of  the  private 
lives  and  basic  freedoms  and  rights  of  individuals’. 

72  Thus,  Article  25(6)  of  Directive  95/46  implements  the  express  obligation  laid  down  in  Article  8(1) 
of  the  Charter  to  protect  personal  data  and,  as  the  Advocate  General  has  observed  in  point  139  of  his 
Opinion,  is  intended  to  ensure  that  the  high  level  of  that  protection  continues  where  personal  data  is 
transferred  to  a third  country. 

73  The  word  ‘adequate’  in  Article  25(6)  of  Directive  95/46  admittedly  signifies  that  a third  country 
cannot  be  required  to  ensure  a level  of  protection  identical  to  that  guaranteed  in  the  EU  legal  order. 
However,  as  the  Advocate  General  has  observed  in  point  141  of  his  Opinion,  the  term  ‘adequate 
level  of  protection’  must  be  understood  as  requiring  the  third  country  in  fact  to  ensure,  by  reason  of 
its  domestic  law  or  its  international  commitments,  a level  of  protection  of  fundamental  rights  and 
freedoms  that  is  essentially  equivalent  to  that  guaranteed  within  the  European  Union  by  virtue  of 
Directive  95/46  read  in  the  light  of  the  Charter.  If  there  were  no  such  requirement,  the  objective 
referred  to  in  the  previous  paragraph  of  the  present  judgment  would  be  disregarded.  Furthermore, 
the  high  level  of  protection  guaranteed  by  Directive  95/46  read  in  the  light  of  the  Charter  could 
easily  be  circumvented  by  transfers  of  personal  data  from  the  European  Union  to  third  countries  for 
the  purpose  of  being  processed  in  those  countries. 

74  It  is  clear  from  the  express  wording  of  Article  25(6)  of  Directive  95/46  that  it  is  the  legal  order  of 
the  third  country  covered  by  the  Commission  decision  that  must  ensure  an  adequate  level  of 
protection.  Even  though  the  means  to  which  that  third  country  has  recourse,  in  this  connection,  for 
the  purpose  of  ensuring  such  a level  of  protection  may  differ  from  those  employed  within  the 
European  Union  in  order  to  ensure  that  the  requirements  stemming  from  Directive  95/46  read  in  the 
light  of  the  Charter  are  complied  with,  those  means  must  nevertheless  prove,  in  practice,  effective  in 
order  to  ensure  protection  essentially  equivalent  to  that  guaranteed  within  the  European  Union. 

75  Accordingly,  when  examining  the  level  of  protection  afforded  by  a third  country,  the  Commission 
is  obliged  to  assess  the  content  of  the  applicable  rules  in  that  country  resulting  from  its  domestic  law 
or  international  commitments  and  the  practice  designed  to  ensure  compliance  with  those  rules,  since 
it  must,  under  Article  25(2)  of  Directive  95/46,  take  account  of  all  the  circumstances  surrounding  a 
transfer  of  personal  data  to  a third  country. 

76  Also,  in  the  light  of  the  fact  that  the  level  of  protection  ensured  by  a third  country  is  liable  to 
change,  it  is  incumbent  upon  the  Commission,  after  it  has  adopted  a decision  pursuant  to 
Article  25(6)  of  Directive  95/46,  to  check  periodically  whether  the  finding  relating  to  the  adequacy 
of  the  level  of  protection  ensured  by  the  third  country  in  question  is  still  factually  and  legally 
justified.  Such  a check  is  required,  in  any  event,  when  evidence  gives  rise  to  a doubt  in  that  regard. 

77  Moreover,  as  the  Advocate  General  has  stated  in  points  134  and  135  of  his  Opinion,  when  the 
validity  of  a Commission  decision  adopted  pursuant  to  Article  25(6)  of  Directive  95/46  is  examined, 
account  must  also  be  taken  of  the  circumstances  that  have  arisen  after  that  decision’s  adoption. 

78  In  this  regard,  it  must  be  stated  that,  in  view  of,  first,  the  important  role  played  by  the  protection  of 
personal  data  in  the  light  of  the  fundamental  right  to  respect  for  private  life  and,  secondly,  the  large 
number of persons whose fundamental rights are liable to be infringed where personal data is
transferred to a third country not ensuring an adequate level of protection, the Commission’s
discretion  as  to  the  adequacy  of  the  level  of  protection  ensured  by  a third  country  is  reduced,  with 
the  result  that  review  of  the  requirements  stemming  from  Article  25  of  Directive  95/46,  read  in  the 
light of the Charter, should be strict (see, by analogy, judgment in Digital Rights Ireland and Others,
C-293/12  and  C-594/12,  EU:C:2014:238,  paragraphs  47  and  48). 

Article  1 of  Decision  2000/520 

79  The  Commission  found  in  Article  1(1)  of  Decision  2000/520  that  the  principles  set  out  in  Annex  I 
thereto,  implemented  in  accordance  with  the  guidance  provided  by  the  FAQs  set  out  in  Annex  II, 
ensure  an  adequate  level  of  protection  for  personal  data  transferred  from  the  European  Union  to 
organisations  established  in  the  United  States.  It  is  apparent  from  that  provision  that  both  those 
principles  and  the  FAQs  were  issued  by  the  United  States  Department  of  Commerce. 

80  An  organisation  adheres  to  the  safe  harbour  principles  on  the  basis  of  a system  of  self-certification, 
as  is  apparent  from  Article  1(2)  and  (3)  of  Decision  2000/520,  read  in  conjunction  with  FAQ  6 set 
out  in  Annex  II  thereto. 

81  Whilst  recourse  by  a third  country  to  a system  of  self-certification  is  not  in  itself  contrary  to  the 
requirement  laid  down  in  Article  25(6)  of  Directive  95/46  that  the  third  country  concerned  must 
ensure  an  adequate  level  of  protection  ‘by  reason  of  its  domestic  law  or  ...  international 
commitments’,  the  reliability  of  such  a system,  in  the  light  of  that  requirement,  is  founded 
essentially  on  the  establishment  of  effective  detection  and  supervision  mechanisms  enabling  any 
infringements  of  the  rules  ensuring  the  protection  of  fundamental  rights,  in  particular  the  right  to 
respect  for  private  life  and  the  right  to  protection  of  personal  data,  to  be  identified  and  punished  in 
practice. 

82  In  the  present  instance,  by  virtue  of  the  second  paragraph  of  Annex  I to  Decision  2000/520,  the  safe 
harbour  principles  are  ‘intended  for  use  solely  by  US  organisations  receiving  personal  data  from  the 
European  Union  for  the  purpose  of  qualifying  for  the  safe  harbour  and  the  presumption  of 
“adequacy”  it  creates’.  Those  principles  are  therefore  applicable  solely  to  self-certified  United  States 
organisations  receiving  personal  data  from  the  European  Union,  and  United  States  public  authorities 
are  not  required  to  comply  with  them. 

83  Moreover,  Decision  2000/520,  pursuant  to  Article  2 thereof,  ‘concerns  only  the  adequacy  of 
protection  provided  in  the  United  States  under  the  [safe  harbour  principles]  implemented  in 
accordance  with  the  FAQs  with  a view  to  meeting  the  requirements  of  Article  25(1)  of  Directive 
[95/46]’,  without,  however,  containing  sufficient  findings  regarding  the  measures  by  which  the 
United  States  ensures  an  adequate  level  of  protection,  within  the  meaning  of  Article  25(6)  of  that 
directive,  by  reason  of  its  domestic  law  or  its  international  commitments. 

84  In  addition,  under  the  fourth  paragraph  of  Annex  I to  Decision  2000/520,  the  applicability  of  the 
safe  harbour  principles  may  be  limited,  in  particular,  ‘to  the  extent  necessary  to  meet  national 
security,  public  interest,  or  law  enforcement  requirements’  and  ‘by  statute,  government  regulation, 
or  case-law  that  create  conflicting  obligations  or  explicit  authorisations,  provided  that,  in  exercising 
any  such  authorisation,  an  organisation  can  demonstrate  that  its  non-compliance  with  the  Principles 
is  limited  to  the  extent  necessary  to  meet  the  overriding  legitimate  interests  furthered  by  such 
authorisation’.

85  In  this  connection,  Decision  2000/520  states  in  Part  B of  Annex  IV,  with  regard  to  the  limits  to 
which the safe harbour principles’ applicability is subject, that, ‘[c]learly, where US law imposes a
conflicting  obligation,  US  organisations  whether  in  the  safe  harbour  or  not  must  comply  with  the 
law’. 


86 Thus, Decision 2000/520 lays down that ‘national security, public interest, or law enforcement
requirements’ have primacy over the safe harbour principles, primacy pursuant to which
self-certified United States organisations receiving personal data from the European Union are bound to
disregard  those  principles  without  limitation  where  they  conflict  with  those  requirements  and 
therefore  prove  incompatible  with  them. 

87  In  the  light  of  the  general  nature  of  the  derogation  set  out  in  the  fourth  paragraph  of  Annex  I to 
Decision  2000/520,  that  decision  thus  enables  interference,  founded  on  national  security  and  public 
interest  requirements  or  on  domestic  legislation  of  the  United  States,  with  the  fundamental  rights  of 
the  persons  whose  personal  data  is  or  could  be  transferred  from  the  European  Union  to  the  United 
States.  To  establish  the  existence  of  an  interference  with  the  fundamental  right  to  respect  for  private 
life,  it  does  not  matter  whether  the  information  in  question  relating  to  private  life  is  sensitive  or 
whether  the  persons  concerned  have  suffered  any  adverse  consequences  on  account  of  that 
interference  (judgment  in  Digital  Rights  Ireland  and  Others,  C-293/12  and  C-594/12, 
EU:C:2014:238, paragraph 33 and the case-law cited).

88  In  addition,  Decision  2000/520  does  not  contain  any  finding  regarding  the  existence,  in  the  United 
States,  of  rules  adopted  by  the  State  intended  to  limit  any  interference  with  the  fundamental  rights  of 
the  persons  whose  data  is  transferred  from  the  European  Union  to  the  United  States,  interference 
which  the  State  entities  of  that  country  would  be  authorised  to  engage  in  when  they  pursue 
legitimate  objectives,  such  as  national  security. 

89  Nor  does  Decision  2000/520  refer  to  the  existence  of  effective  legal  protection  against  interference 
of  that  kind.  As  the  Advocate  General  has  observed  in  points  204  to  206  of  his  Opinion,  procedures 
before  the  Federal  Trade  Commission  — the  powers  of  which,  described  in  particular  in  FAQ  11  set 
out  in  Annex  II  to  that  decision,  are  limited  to  commercial  disputes  — and  the  private  dispute 
resolution  mechanisms  concern  compliance  by  the  United  States  undertakings  with  the  safe  harbour 
principles  and  cannot  be  applied  in  disputes  relating  to  the  legality  of  interference  with  fundamental 
rights  that  results  from  measures  originating  from  the  State. 

90  Moreover,  the  foregoing  analysis  of  Decision  2000/520  is  borne  out  by  the  Commission’s  own 
assessment  of  the  situation  resulting  from  the  implementation  of  that  decision.  Particularly  in 
points  2 and  3.2  of  Communication  COM(2013)  846  final  and  in  points  7.1,  7.2  and  8 of 
Communication  COM(2013)  847  final,  the  content  of  which  is  set  out  in  paragraphs  13  to  16  and 
paragraphs  22,  23  and  25  of  the  present  judgment  respectively,  the  Commission  found  that  the 
United  States  authorities  were  able  to  access  the  personal  data  transferred  from  the  Member  States 
to  the  United  States  and  process  it  in  a way  incompatible,  in  particular,  with  the  purposes  for  which 
it  was  transferred,  beyond  what  was  strictly  necessary  and  proportionate  to  the  protection  of  national 
security.  Also,  the  Commission  noted  that  the  data  subjects  had  no  administrative  or  judicial  means 
of  redress  enabling,  in  particular,  the  data  relating  to  them  to  be  accessed  and,  as  the  case  may  be, 
rectified  or  erased. 

91  As  regards  the  level  of  protection  of  fundamental  rights  and  freedoms  that  is  guaranteed  within  the 
European  Union,  EU  legislation  involving  interference  with  the  fundamental  rights  guaranteed  by 
Articles  7 and  8 of  the  Charter  must,  according  to  the  Court’s  settled  case-law,  lay  down  clear  and 
precise  rules  governing  the  scope  and  application  of  a measure  and  imposing  minimum  safeguards, 
so  that  the  persons  whose  personal  data  is  concerned  have  sufficient  guarantees  enabling  their  data 
to  be  effectively  protected  against  the  risk  of  abuse  and  against  any  unlawful  access  and  use  of  that 
data.  The  need  for  such  safeguards  is  all  the  greater  where  personal  data  is  subjected  to  automatic 
processing  and  where  there  is  a significant  risk  of  unlawful  access  to  that  data  (judgment  in  Digital 
Rights  Ireland  and  Others,  C-293/12  and  C-594/12,  EU:C:2014:238,  paragraphs  54  and  55  and  the 
case-law  cited). 

92  Furthermore  and  above  all,  protection  of  the  fundamental  right  to  respect  for  private  life  at  EU  level 
requires derogations and limitations in relation to the protection of personal data to apply only in so
far as is strictly necessary (judgment in Digital Rights Ireland and Others, C-293/12 and C-594/12,
EU:C:2014:238, paragraph 52 and the case-law cited).

93  Legislation  is  not  limited  to  what  is  strictly  necessary  where  it  authorises,  on  a generalised  basis, 
storage  of  all  the  personal  data  of  all  the  persons  whose  data  has  been  transferred  from  the  European 
Union  to  the  United  States  without  any  differentiation,  limitation  or  exception  being  made  in  the 
light  of  the  objective  pursued  and  without  an  objective  criterion  being  laid  down  by  which  to 
determine  the  limits  of  the  access  of  the  public  authorities  to  the  data,  and  of  its  subsequent  use,  for 
purposes  which  are  specific,  strictly  restricted  and  capable  of  justifying  the  interference  which  both 
access  to  that  data  and  its  use  entail  (see,  to  this  effect,  concerning  Directive  2006/24/EC  of  the 
European  Parliament  and  of  the  Council  of  15  March  2006  on  the  retention  of  data  generated  or 
processed  in  connection  with  the  provision  of  publicly  available  electronic  communications  services 
or  of  public  communications  networks  and  amending  Directive  2002/58/EC  (OJ  2006  L 105,  p.  54), 
judgment  in  Digital  Rights  Ireland  and  Others,  C-293/12  and  C-594/12,  EU:C:2014:238, 
paragraphs  57  to  61). 

94  In  particular,  legislation  permitting  the  public  authorities  to  have  access  on  a generalised  basis  to 
the  content  of  electronic  communications  must  be  regarded  as  compromising  the  essence  of  the 
fundamental  right  to  respect  for  private  life,  as  guaranteed  by  Article  7 of  the  Charter  (see,  to  this 
effect,  judgment  in  Digital  Rights  Ireland  and  Others,  C-293/12  and  C-594/12,  EU:C:2014:238, 
paragraph  39). 

95  Likewise,  legislation  not  providing  for  any  possibility  for  an  individual  to  pursue  legal  remedies  in 
order  to  have  access  to  personal  data  relating  to  him,  or  to  obtain  the  rectification  or  erasure  of  such 
data,  does  not  respect  the  essence  of  the  fundamental  right  to  effective  judicial  protection,  as 
enshrined  in  Article  47  of  the  Charter.  The  first  paragraph  of  Article  47  of  the  Charter  requires 
everyone  whose  rights  and  freedoms  guaranteed  by  the  law  of  the  European  Union  are  violated  to 
have  the  right  to  an  effective  remedy  before  a tribunal  in  compliance  with  the  conditions  laid  down 
in  that  article.  The  very  existence  of  effective  judicial  review  designed  to  ensure  compliance  with 
provisions  of  EU  law  is  inherent  in  the  existence  of  the  rule  of  law  (see,  to  this  effect,  judgments  in 
Les  Verts  v Parliament,  294/83,  EU:C:1986:166,  paragraph  23;  Johnston,  222/84,  EU:C:1986:206, 
paragraphs  18  and  19;  Heylens  and  Others,  222/86,  EU:C:1987:442,  paragraph  14;  and  UGT-Rioja 
and  Others,  C-428/06  to  C-434/06,  EU:C:2008:488,  paragraph  80). 

96  As  has  been  found  in  particular  in  paragraphs  71,  73  and  74  of  the  present  judgment,  in  order  for 
the  Commission  to  adopt  a decision  pursuant  to  Article  25(6)  of  Directive  95/46,  it  must  find,  duly 
stating  reasons,  that  the  third  country  concerned  in  fact  ensures,  by  reason  of  its  domestic  law  or  its 
international  commitments,  a level  of  protection  of  fundamental  rights  essentially  equivalent  to  that 
guaranteed  in  the  EU  legal  order,  a level  that  is  apparent  in  particular  from  the  preceding  paragraphs 
of  the  present  judgment. 

97  However,  the  Commission  did  not  state,  in  Decision  2000/520,  that  the  United  States  in  fact 
‘ensures’  an  adequate  level  of  protection  by  reason  of  its  domestic  law  or  its  international 
commitments. 

98  Consequently,  without  there  being  any  need  to  examine  the  content  of  the  safe  harbour  principles,  it 
is  to  be  concluded  that  Article  1 of  Decision  2000/520  fails  to  comply  with  the  requirements  laid 
down  in  Article  25(6)  of  Directive  95/46,  read  in  the  light  of  the  Charter,  and  that  it  is  accordingly 
invalid. 

Article  3 of  Decision  2000/520 

99  It  is  apparent  from  the  considerations  set  out  in  paragraphs  53,  57  and  63  of  the  present  judgment 
that,  under  Article  28  of  Directive  95/46,  read  in  the  light  in  particular  of  Article  8 of  the  Charter, 
the  national  supervisory  authorities  must  be  able  to  examine,  with  complete  independence,  any 
claim  concerning  the  protection  of  a person’s  rights  and  freedoms  in  regard  to  the  processing  of 
personal  data  relating  to  him.  That  is  in  particular  the  case  where,  in  bringing  such  a claim,  that 
person  raises  questions  regarding  the  compatibility  of  a Commission  decision  adopted  pursuant  to 
Article  25(6)  of  that  directive  with  the  protection  of  the  privacy  and  of  the  fundamental  rights  and 
freedoms  of  individuals. 

100  However,  the  first  subparagraph  of  Article  3(1)  of  Decision  2000/520  lays  down  specific  rules 
regarding  the  powers  available  to  the  national  supervisory  authorities  in  the  light  of  a Commission 
finding  relating  to  an  adequate  level  of  protection,  within  the  meaning  of  Article  25  of  Directive 
95/46. 

101  Under  that  provision,  the  national  supervisory  authorities  may,  ‘[w]ithout  prejudice  to  their  powers 
to  take  action  to  ensure  compliance  with  national  provisions  adopted  pursuant  to  provisions  other 
than  Article  25  of  Directive  [95/46],  ...  suspend  data  flows  to  an  organisation  that  has  self-certified 
its  adherence  to  the  [principles  of  Decision  2000/520]’,  under  restrictive  conditions  establishing  a 
high  threshold  for  intervention.  Whilst  that  provision  is  without  prejudice  to  the  powers  of  those 
authorities  to  take  action  to  ensure  compliance  with  national  provisions  adopted  pursuant  to 
Directive  95/46,  it  excludes,  on  the  other  hand,  the  possibility  of  them  taking  action  to  ensure 
compliance  with  Article  25  of  that  directive. 

102  The  first  subparagraph  of  Article  3(1)  of  Decision  2000/520  must  therefore  be  understood  as 
denying  the  national  supervisory  authorities  the  powers  which  they  derive  from  Article  28  of 
Directive  95/46,  where  a person,  in  bringing  a claim  under  that  provision,  puts  forward  matters  that 
may  call  into  question  whether  a Commission  decision  that  has  found,  on  the  basis  of  Article  25(6) 
of  the  directive,  that  a third  country  ensures  an  adequate  level  of  protection  is  compatible  with  the 
protection  of  the  privacy  and  of  the  fundamental  rights  and  freedoms  of  individuals. 

103  The  implementing  power  granted  by  the  EU  legislature  to  the  Commission  in  Article  25(6)  of 
Directive  95/46  does  not  confer  upon  it  competence  to  restrict  the  national  supervisory  authorities’ 
powers  referred  to  in  the  previous  paragraph  of  the  present  judgment. 

104  That  being  so,  it  must  be  held  that,  in  adopting  Article  3 of  Decision  2000/520,  the  Commission 
exceeded  the  power  which  is  conferred  upon  it  in  Article  25(6)  of  Directive  95/46,  read  in  the  light 
of  the  Charter,  and  that  Article  3 of  the  decision  is  therefore  invalid. 

105  As  Articles  1 and  3 of  Decision  2000/520  are  inseparable  from  Articles  2 and  4 of  that  decision  and 
the  annexes  thereto,  their  invalidity  affects  the  validity  of  the  decision  in  its  entirety. 

106  Having  regard  to  all  the  foregoing  considerations,  it  is  to  be  concluded  that  Decision  2000/520  is 
invalid. 

Costs 

107  Since  these  proceedings  are,  for  the  parties  to  the  main  proceedings,  a step  in  the  action  pending 
before  the  referring  court,  the  decision  on  costs  is  a matter  for  that  court.  Costs  incurred  in 
submitting  observations  to  the  Court,  other  than  the  costs  of  those  parties,  are  not  recoverable. 


On  those  grounds,  the  Court  (Grand  Chamber)  hereby  rules: 

1.  Article  25(6)  of  Directive  95/46/EC  of  the  European  Parliament  and  of  the  Council  of 
24  October  1995  on  the  protection  of  individuals  with  regard  to  the  processing  of 
personal  data  and  on  the  free  movement  of  such  data  as  amended  by  Regulation  (EC) 
No  1882/2003  of  the  European  Parliament  and  of  the  Council  of  29  September  2003,  read 
in  the  light  of  Articles  7,  8 and  47  of  the  Charter  of  Fundamental  Rights  of  the  European 
Union,  must  be  interpreted  as  meaning  that  a decision  adopted  pursuant  to  that 
provision,  such  as  Commission  Decision  2000/520/EC  of  26  July  2000  pursuant  to 
Directive  95/46  on  the  adequacy  of  the  protection  provided  by  the  safe  harbour  privacy 
principles  and  related  frequently  asked  questions  issued  by  the  US  Department  of 
Commerce,  by  which  the  European  Commission  finds  that  a third  country  ensures  an 
adequate  level  of  protection,  does  not  prevent  a supervisory  authority  of  a Member 
State,  within  the  meaning  of  Article  28  of  that  directive  as  amended,  from  examining  the 
claim  of  a person  concerning  the  protection  of  his  rights  and  freedoms  in  regard  to  the 
processing  of  personal  data  relating  to  him  which  has  been  transferred  from  a Member 
State  to  that  third  country  when  that  person  contends  that  the  law  and  practices  in  force 
in  the  third  country  do  not  ensure  an  adequate  level  of  protection. 

2.  Decision  2000/520  is  invalid. 

[Signatures] 


* Language  of  the  case:  English. 


